ArgumentError at Localhost

Trying to update an existing app from Rails 4.2 to 5.2 (currently in Rails 5.0)

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.

The issue is inside index.html.erb:

<%= link_to_export("Films", params) %>

Anyone know of a solution to fix this?

#application_helper.rb

def link_to_export(text, params)
  if current_user.admin?
    # passing the raw params hash into url_for is what raises the ArgumentError
    link_to url_for(params.merge(format: "csv")), class: "btn btn-default" do
      content_tag(:i, nil, class: "fa fa-download") + " " + text
    end
  end
end

Sure. You'll need to either shim the call to raw params with something like params.to_insecure_h, or actually fix the problem by selecting the specific params you mean with a strong parameters accessor method, something like

def nav_params
  params.permit(:controller, :action, :id)
end

and then refer to nav_params.merge... in your method instead of blindly taking all comers. Obviously you'd need to expand that list of allowed parameters to include any other params your actual URLs rely on (query strings, etc.). The nouns you express in that list should come from your routes file.

Walter
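The allowlist approach from the reply above, as an added example that is not part of the original thread and does not load Rails: a small `permit` stand-in for `params.permit` and a `build_url` stand-in for `url_for` (which honours `host` and `protocol` options the way `url_for` does), run over a constructed request-params hash that carries an injected `host`. The key names in `NAV_KEYS`, the hostnames and the function names are assumptions for the example.

```ruby
# Added example, not code from the original thread. Stdlib only: the
# permit/build_url functions stand in for Rails' params.permit and url_for.
require "uri"

# Keys allowed to flow from the request into a generated URL. As the reply
# says, in a real app these come from your routes file; this list is assumed.
NAV_KEYS = %w[controller action id page sort].freeze

# Constructed request params, as Rails would hand them to a helper.
# "host" and "protocol" simulate attacker-controlled input in the request.
RAW_PARAMS = {
  "controller" => "films",
  "action"     => "index",
  "page"       => "2",
  "host"       => "evil.example",
  "protocol"   => "ftp",
  "utm_junk"   => "x",
}.freeze

# Stand-in for params.permit(...): keep only allowlisted keys.
def permit(params, allowed)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Stand-in for url_for. Like url_for, it honours :host and :protocol options
# if they are present, which is exactly why unfiltered params are dangerous.
def build_url(params)
  p = params.transform_keys(&:to_s)
  host     = p.delete("host")     || "app.example"  # application default
  protocol = p.delete("protocol") || "https"        # application default
  path = "/#{p.fetch('controller')}"
  path += "/#{p['id']}" if p["id"]
  path += "/#{p['action']}" unless p["action"].nil? || p["action"] == "index"
  path += ".#{p['format']}" if p["format"]
  query = p.reject { |k, _| %w[controller action id format].include?(k) }
  path += "?" + URI.encode_www_form(query) unless query.empty?
  "#{protocol}://#{host}#{path}"
end

# The shape of the original helper: raw params merged straight into the URL.
def export_url_insecure(params)
  build_url(params.merge("format" => "csv"))
end

# The hardened shape: only permitted keys reach the URL builder, so the
# injected host/protocol never influence the result.
def export_url(params)
  build_url(permit(params, NAV_KEYS).merge("format" => "csv"))
end

if __FILE__ == $PROGRAM_NAME
  puts "insecure: #{export_url_insecure(RAW_PARAMS)}"
  puts "permitted: #{export_url(RAW_PARAMS)}"
end
```

Run stand-alone, the insecure variant yields a link pointing at the injected host over the injected scheme, while the permitted variant keeps the application's own host and carries only the allowlisted `page` parameter.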

require "csv"  # CSV is part of the Ruby stdlib and is not autoloaded by Rails

#film.rb
  def self.to_csv(options = {})
    CSV.generate(options) do |csv|
      csv << %w(Serial Formula Width Length Area Shelf SO Phase)
      all.join_dimensions.each do |f|
        csv << [f.serial, f.formula, f.width, f.length, f.area, f.shelf, f.sales_order_code, f.phase]
      end
    end
  end

#film_movement.rb
  def self.to_csv(options = {})
    CSV.generate(options) do |csv|
      # note: this header has seven columns but the row below supplies six values
      csv << %w(Serial Formula Width Length Order User DateTime)
      all.each do |m|
        csv << [m.serial, m.formula, m.width, m.length, m.sales_order_code, m.created_at]
      end
    end
  end

#line_item.rb
  def self.to_csv(options = {})
    CSV.generate(options) do |csv|
      csv << %w(SO# Type Custom-W Custom-L Pieces Wires Busbars Note)
      all.each do |o|
        csv << [o.sales_order_code, o.product_type, o.custom_width, o.custom_length, o.quantity, o.wire_length, o.busbar_type, o.note]
      end
    end
  end

#master_films.rb
  def self.to_csv(options = {})
    types = defect_types
    CSV.generate(options) do |csv|
      csv << %w(Serial Formula Mix/g Machine ITO Thinky b* Chemist Operator Inspector EffW EffL) + types
      all.each do |mf|
        csv << [mf.serial, mf.formula, mf.mix_mass, mf.machine_code, mf.film_code_top, mf.thinky_code, mf.b_value, mf.chemist, mf.operator, mf.inspector, mf.effective_width, mf.effective_length, mf.yield] + types.map { |type| mf.defect_count(type) }
      end
    end
  end

#sales_order.rb
  def self.to_csv(options = {})
    CSV.generate(options) do |csv|
      csv << %w(SO# Customer Released Due Ship-to Status Shipped Note)
      all.each do |o|
        csv << [o.code, o.customer, o.release_date, o.due_date, o.ship_to, o.status, o.ship_date, o.note]
      end
    end
  end

Is there documentation for this fav_params?

I'm not sure what your question refers to. There's no other instance of fav_params in the code you've quoted here. These are all models, not controllers, and models don't have access to the params. Read the Rails Guide about Strong Parameters. Start here: http://guides.rubyonrails.org and pick the version of Rails you are currently stuck in. You have to define the rules of the road for your application. Rails 2.3 used to do this with a macro in the model called attr_accessible. This changed to strong parameters (in the controller) in Rails 4.

Walter